Quasiordinary Adventures

Jason Ginchereau's Blog

Archive for the ‘Technology & gadgets’ Category

I got an iPhone

Posted by jasongin on Monday, July 21, 2008

If you’ve heard me make comments about Apple, you might have thought I would be one of the last people in the world to get an iPhone. I might have thought so too.

Ever since I had a few bad experiences with Macs back in college (late 90’s), I have pretty much avoided and looked down on anything with the Apple logo. In the last couple years those annoying, misleading, and downright false Mac-vs-PC advertisements have only reinforced that tendency. On top of that, I can’t stand the zealotry that Apple seems to inspire in many of its ill-informed users. And that branding strategy of putting a lowercase-i in front of any common word to make it their own? iHateIt.

But aside from their marketing I do have to admit that Apple has come a long way in the last 10 years. They have a real OS that runs on mostly-standard hardware components, their hardware engineering is very impressive, and they seem to be very in touch with what is important to mainstream consumers. So given all this I finally had to ask myself… Was I as big of an anti-Apple zealot as the pro-Apple flock I looked down on? Certainly not. :) But… was I being unfairly close-minded toward Apple? Probably.

When the original iPhone came out last year, I was aware of the hype but I mostly ignored it for its Appleness. Anyway that wasn’t hard to do because while it looked slick, it had far less functionality than the phone I already carried. But the new "iPhone 3G" changed that in a few important ways: (1) I can sync my work (Exchange) email and calendar over the air. (2) 3G data speeds for fast web browsing. (3) The platform is opened up to 3rd-party developers to write new applications.

My overall impression after using it for 3 days is that it’s clearly a leap beyond anything else currently available. You can be sure that competitors will be playing catch-up for the next couple years — initially with some thin shells on top of the same old thing, but eventually with some real advances. Isn’t competition great? You can read plenty of people’s impressions on the web so I won’t repeat everything, but I’ll point out a few things that especially disappointed or impressed me. For comparison I’ve been using Windows Mobile phones for the last 3+ years.

Bad:

  • No flags in email. I rely on flags to track which emails I need to follow-up on. I’m still not sure what I’ll do instead to track my important emails.
  • The unlock/home screen doesn’t show upcoming appointments and unread message info. I have to unlock the phone and open the calendar app to see where and when my next meeting is.
  • No support for sending or receiving picture messages (MMS). Very strange for a device which is all about multimedia. Yeah you can use email as a substitute but only if the person you’re sending to or receiving from has email on their phone.

Good:

  • The headphone jack works with ordinary headphones. This shouldn’t even be worth mentioning except that many phone manufacturers persistently use proprietary connectors.
  • The screen is big and beautiful while the overall phone is still small. It can get VERY bright and is unusually readable in direct sunlight.
  • As advertised, the web-browsing experience (over 3G or WiFi) is remarkably great for the size of the device. It’s the first phone I’ve had where I might use it to browse the web not out of necessity because I’m out somewhere, but just because I don’t feel like getting up and walking over to the PC in the next room.

Support for 3rd-party apps means there is still a lot more in store for the iPhone. The SDK has only been available to developers for a few months and already there are some pretty cool applications. The user base of 3 million+ iPhones (and iPod Touches), combined with the store integrated into the phone in a way that makes impulse purchases VERY easy, will ensure that many developers will want to target the platform.

The one app I’m most looking forward to is a good e-book reader. Fortunately Mobipocket says they’re already working on it. Also, I’d really like some kind of family-planning/calendaring solution. My girlfriend and I are both planners (her more than I) and we currently use calendar.live.com which has some really nice sharing features, but it isn’t accessible from a phone. A rich integrated multi-calendar implementation from Apple would be ideal, but a 3rd-party app could get most of the way there. At that point I think I’d have to get her an iPhone too.

Posted in Technology & gadgets | Leave a Comment »

Contactless payment security

Posted by jasongin on Thursday, September 20, 2007

In yesterday’s blog entry, I wrote about contactless payments. I promised to follow it up by addressing security and privacy concerns you might have about the system. I’ll start with security.

There are basically two results a malicious attacker might want to achieve by exploiting the contactless nature of this kind of payment system:

  1. To make charges to your account at the attacker’s "store" without your knowledge or consent.
  2. To surreptitiously steal your credit card number for later use to make purchases with your account or otherwise impersonate you.

Unfortunately for the would-be criminal, and fortunately for you, the first attack is ineffective, and the second attack is impossible! Why?

It might not be what you’re thinking. We should ignore the helpful restriction that the super-low-power communication requires the RFID chip to be within a couple centimeters of the reader, so it would be difficult for someone to activate it without you noticing — maybe you’re on a Tokyo subway car at rush hour and it’s perfectly expected to have strange people and things pressed up against you on all sides. Also, let’s even put aside the fact that all the RF communications are strongly encrypted — maybe the attacker has a device that can trick the payment token into thinking it’s a valid merchant, allowing it to participate in the encryption.

Credit card companies provide two very simple mitigations for attack #1 above. First, any reputable card-issuer does not hold consumers liable for fraudulent charges (often this is enforced by law). And second, any merchant with many reports of fraudulent charges is very quickly going to have their credit card acceptance privileges revoked, probably before they even receive the funds. Although this does not absolutely prevent a very determined troublemaker from briefly hassling somebody, there will probably be plenty of information for the police to easily track down and arrest that troublemaker. So in practice, this is never a problem as far as I’ve heard. (Things get more difficult for a consumer who intentionally makes a purchase from a merchant who then doesn’t deliver on the promised goods/services — but that is a different kind of attack, and not really credit card fraud because the account-holder approved the transaction at the time it was charged.)

As for attack #2, it is foiled by a design that ensures the RF communications never even include an account number, nor any number that is ever usable outside the current transaction. The full explanation requires an understanding of public key cryptography, but conceptually you can imagine the tiny computer chip in the payment token is generating and transmitting a single-use credit card number for each transaction. Credit card companies have issued single-use credit card numbers upon request for about a decade, primarily for users who are concerned (paranoid?) about making purchases online. Only the credit card company can link a single-use number back to the real account number that it was generated for. Contactless transactions are actually a bit more complex, but this should give you an idea of how the payments can be made without ever exposing your account information. So even if an attacker is able to eavesdrop on the transaction data, they won’t see any useful information.
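The single-use-number idea above, as an added sketch (not code from the original post, and not the actual PayPass protocol). It assumes a secret shared between the token and the issuer, with HMAC-SHA256 standing in for whatever cryptography the real system uses; every name and the account value are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FIELD = 2**64 - 1  # counter and amount are encoded as 8-byte integers


def transaction_mac(secret: bytes, counter: int, amount_cents: int) -> str:
    """One-time value bound to this counter and amount under the token's secret."""
    msg = counter.to_bytes(8, "big") + amount_cents.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class PaymentToken:
    """Stand-in for the chip in the fob: it never stores the account number."""
    token_id: str   # opaque identifier, meaningless outside the issuer
    secret: bytes   # never transmitted
    counter: int = 0

    def pay(self, amount_cents: int) -> dict:
        """Return everything that goes over the air for one transaction."""
        self.counter += 1
        return {
            "token_id": self.token_id,
            "counter": self.counter,
            "amount_cents": amount_cents,
            "mac": transaction_mac(self.secret, self.counter, amount_cents),
        }


class Issuer:
    """Only the issuer can map a token back to the real account."""

    def __init__(self):
        self._tokens = {}

    def enroll(self, account_number: str) -> PaymentToken:
        token_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._tokens[token_id] = {
            "account": account_number, "secret": secret, "last_counter": 0,
        }
        return PaymentToken(token_id, secret)

    def authorize(self, msg: dict) -> str:
        rec = self._tokens.get(msg.get("token_id"))
        if rec is None:
            return "declined: unknown token"
        counter, amount, mac = (msg.get(k) for k in ("counter", "amount_cents", "mac"))
        if not (isinstance(counter, int) and isinstance(amount, int)
                and isinstance(mac, str)
                and 0 < counter <= MAX_FIELD and 0 <= amount <= MAX_FIELD):
            return "declined: malformed"
        expected = transaction_mac(rec["secret"], counter, amount)
        if not hmac.compare_digest(expected, mac):
            return "declined: bad MAC"        # altered amount or forged value
        if counter <= rec["last_counter"]:
            return "declined: replayed counter"  # captured message sent again
        rec["last_counter"] = counter
        return "approved"


def demo() -> dict:
    account = "CONSTRUCTED-ACCT-0001"  # constructed sample value
    issuer = Issuer()
    token = issuer.enroll(account)
    first = token.pay(1299)
    second = token.pay(1299)
    return {
        "first": issuer.authorize(first),
        "replay": issuer.authorize(dict(first)),
        "tampered": issuer.authorize(dict(second, amount_cents=999999)),
        "second": issuer.authorize(second),
        "account_on_air": account in repr(first) + repr(second),
        "macs_differ": first["mac"] != second["mac"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An eavesdropper who records `first` holds a value the issuer accepts exactly once, and changing the amount invalidates it.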

Most credit card fraud today occurs when a (soon-to-be) criminal somehow obtains your credit card or credit card information (name, number, exp date), then goes on a shopping spree. This can easily happen when a waiter takes your card away out of your sight, when a cashier "forgets" to hand the card back to you after swiping it, or maybe even if the person behind you in line at the checkout manages to snap a photo of your card. But contactless payment systems are not vulnerable to this form of fraud at all! Because you don’t ever have to give up possession of the payment token, and it’s not readable by a human, in this way you can consider contactless payments more secure than an ordinary credit card.

Of course, if you manage to lose your payment token, it is possible for the finder to go on a shopping spree just like with a normal plastic card. So you still need to report it to your bank so they can block it.

If I sound like I know what I’m talking about here, it’s probably because I do similar (but much more formal) security analyses for software all the time, after having had lots of training for that task. Now, I must admit I’m far from an expert on RFID payment systems, but at least I can still manage to sound like I know what I’m talking about.

Coming soon, I’ll take a look at the privacy issues.

Posted in Technology & gadgets | Leave a Comment »

My phone is also a credit card

Posted by jasongin on Wednesday, September 19, 2007

Why must I carry a wallet? Paper money is cumbersome. Physical identification is easily forged. Supermarket club cards are the most annoying thing — if they must track my shopping habits, can’t they recognize me by the credit card I use? And then there’s the unnecessary key ring with metal keys?? Those archaic mechanical locks are so weak they’re just begging for a more secure, convenient, and modern alternative.

There is only one thing that I can accept that is worth carrying with me everywhere: a smart compact digital device that identifies me and connects me to the rest of the world. It is my mobile phone, and it should be so much more. (Until I upgrade my neural implant to support wireless networking.)

At the very least, I should be able to buy things with my phone instead of a credit card. People in Europe and Asia have been swiping their phone at the retail counter for years, so why are we so far behind here in the USA? Well, contactless (RFID) payment systems are finally being rolled out here by Visa, MasterCard, and AmEx, though they’re slow to catch on due to a chicken-and-egg problem: hardly any consumers carry contactless payment devices because very few merchants can accept them, while merchants aren’t interested in setting up the contactless readers when nobody will use them. We need more cool applications like the NYC subway trial to get contactless payments into the mainstream.

Several American credit card issuers will now give out contactless payment devices on request. Some provide an otherwise normal credit card with an integrated RFID chip, while others issue a separate token of some kind. My primary credit card is a Citi MasterCard, and for it I was able to request a "PayPass" device.

Citi sent me a big blue plastic fob meant to go on a key ring. I hate having a big jangly key ring, but that’s okay because I never intended to keep the fob there. Instead I very carefully destroyed it. The plastic case of the fob was pretty thick and strongly welded together, but some tough Cutco utility scissors made short work of it. The functional part is actually just a small sliver.

The actual RFID chip isn’t visible in this photo, but it’s only about 5mm square and 1mm thick. Most of the blue area is a thinner plastic piece that just holds the surrounding RF antenna wires.

Now, I could just stick this sliver in my wallet, so that I can swipe my wallet in front of a contactless reader to make a payment. But as I explained above, my phone is really the proper place for it. Besides, my phone is more easily accessible than my wallet. And there’s a good chance I already had it in my hand because I was checking email while waiting in line at the checkout counter!

 

I was just barely able to fit the RFID sliver underneath the battery cover on the back of my T-Mobile Dash. Now I can swipe my phone in front of a MasterCard PayPass reader to pay for things! I wonder how many funny looks I’ll get from cashiers…

If only the places I shop had PayPass readers. Around here only a few chain stores have them, most prominently Tully’s, McDonald’s, and 7-11. I don’t drink coffee or eat fast food burgers, nor am I a fan of slurpees or any other junk food at 7-11. Maybe if 7-11 sold something really cool, I might stop in… Oh. Awesome.

Anyway, I’m sure there will be more PayPass locations soon enough. How about some gas stations? They pioneered contactless payments in the U.S., but now that regular credit cards are doing it I’d rather not have to maintain a separate account.

Now, some paranoid readers may be eager to bring up concerns about the security and privacy of electronic contactless payments, compared to regular magnetic-swipe cards or paper money. In a future blog entry, I’ll explain why security is basically not a problem for consumers today, while privacy/anonymity is a problem that could easily be solved if only the industry was motivated.

Posted in Technology & gadgets | 5 Comments »

Karaoke Party

Posted by jasongin on Wednesday, March 21, 2007

This past Sunday evening we had a karaoke party in my basement — probably the biggest and most successful one so far. I hope everyone who came had a great time, I know I did! And to those who didn’t make it, you missed out!

I guess I should say Julie had a party in my basement, since she did most of the organizing; I was just the host. Anyway, this party was in honor of our friend Ben, who is leaving Seattle for a job in So-Cal. We’ll miss you Ben!

To anyone who wasn’t there who may be wondering… I don’t hesitate to sing badly in front of a small crowd. Actually, after listening to lots of country music in Oklahoma in the 90′s, I can pretty well nail anything by Garth Brooks. And I can do okay at some more modern pop hits as well. But for next time I’ll have to remember that the average male pop singer has a range much higher than mine — which can be a problem as the night goes on, my voice tires, and my vocal range shrinks. I had to drop an octave for the last verse on one of those songs near the end…

Now, just in case you thought I was being almost hip and anti-geek by hosting a social party, I have to tell you all about the software I wrote for it. It was really quite simple and mostly just took me one evening to put together, but I think it’s actually the most useful software I’ve ever written for personal/home use. (And I have had numerous hobby programming projects over the years…)

First, some background. Karaoke at my place is done on the home theater PC hooked up to the projector in my basement. Saeed and I (mostly Saeed) have purchased a bunch of karaoke CD+G discs and ripped them all onto files on the PC. We’ve built up a pretty good library of over 900 songs so far, spanning a wide variety of popular material. So then we plug a good microphone into the computer and find some software that can play ripped CD+G’s, and we have ourselves a party! We can add songs to a playlist and sing along while the words are displayed on the giant screen (or a small cloned display I set up facing the other way for the singer on the "stage").

The problem with that basic setup is everything is being managed on the one PC. It makes it difficult for people to browse through the song library while someone is using the screen to sing from at the same time. For past parties we had a clunky system arranged where a Windows Explorer window was on one side of the screen, and people could scroll through the files and right-click to get an option to add to the queue. But there was no convenient searching, no sorting by title, you had to be close enough to the screen to read the small text, and the right-click interface was ugly and nonintuitive. I think it was definitely less convenient than the traditional karaoke-machine method of looking through one of multiple books (each sorted by title or artist) and then punching a code into a remote control.

Clearly, it’s just a software problem. And luckily I write software for a living, and still more software for fun! My solution is a three-tiered application for remotely browsing and enqueueing songs, all written in C# in Visual Studio. (BTW I currently work in the Visual Studio division, so that great product has some of my code!) On the player PC is a small controller application which reads the song library from the disk, and takes enqueue requests from the server and passes the songs to the KaraFun playlist. On my home server is an XML web service that exposes web methods for retrieving the library and enqueueing songs; each method call is simply relayed to the controller app on the PC. The client side of the application runs on any computer with internet connectivity, invoking the methods on my web server. It downloads the song library and displays it as a simple list that is sortable by title or artist and searchable by any keywords. Double-clicking on a song sends the enqueue request over the network.

Now, we can place a couple laptop computers around the room where party-goers can easily browse and search the library and enqueue songs, via a wireless internet connection (my WiFi or my roommate’s WiFi or my neighbor’s WiFi…) The song library search feature is pretty slick: it’s a word-wheel type multiple-partial-word match that instantly filters the library as you type. I always wanted to try implementing that kind of search, which can be seen in some recent software like Windows Vista and Media Player 11. It really wasn’t hard at all, so I’m surprised more apps don’t offer it — it’s such a nice way to search.

But wait, it gets better: I can enqueue songs with my phone! The client software can also run on an internet-connected Windows Mobile Pocket PC or Smartphone (like my Dash) because it targets the .NET Compact Framework. However at the party I didn’t promote this usage because the laptops were faster for browsing. The Smartphone app mostly functions well using the exact same code, but I’ll have to complain to someone about the performance of the ListView control provided by NetCF: with 900+ items it is horribly slow, taking over a second just to move the selection down to the next item. Searching is still fast though, because that’s my code and I optimized it. :)

My karaoke remote-control software is named Karemotey.

Due to the specialized nature of my setup, I doubt this software would be useful for many other people out there. But hey, if you’re a random person who stumbled across this page because you have the exact same problem, do let me know and I might be persuaded to share. I have ambitions about adding full playlist-management and other features to the software, but I don’t know if I’ll ever get around to it, since what we have now works very well as it is. I think it’s now better than the traditional karaoke code-book experience.

Posted in Technology & gadgets | 2 Comments »

You’re living in the future!

Posted by jasongin on Friday, February 16, 2007

Or at least you are, relative to when you first read that headline. And here in the future, it has been a rather eventful week for computing technology, if you believe the recent headlines.

  • First there was an announcement of the "world’s first commercial quantum computer". Reportedly the 16 qubit computer can leverage the multiverse to play Sudoku, but not much else. So fear not: your encrypted financial transactions are still safe — they’re not remotely close to being able to solve NP-complete problems.
  • After that comes an announcement of commercial availability of holographic storage media and drives. For as long as I’ve followed the tech industry (over a decade now), holographic media has promised to offer phenomenal data storage capacity, always just a year or two away. Well now it has finally arrived. The capacity is not too shabby at 300 GB for a CD-sized disk, until you realize that at $180 per blank it’s twice as expensive as a comparable hard drive, and not nearly as fast. Oh, and the read/write drive will run you another $18,000. Surely the prices will drop, but can it catch up with magnetic storage?
  • Now just in case the future isn’t spooky enough, prototype RFID chips have gotten as small as sand. Be prepared for absolutely everything to be electronically trackable.
  • And this just in… quantum storage — store your data in other universes! Infinite capacity, and complete invulnerability to fire, flood, or supernova! OK, so I made up this last one. I think.

Posted in Technology & gadgets | 1 Comment »

My next car

Posted by jasongin on Friday, July 21, 2006

Finally it looks like someone is making a decent fully-electric production car. Not a wimpy econobox with pathetic range and acceleration, but a desirable sports car that will demonstrate that there are actually advantages to ditching internal combustion even aside from environmental factors. Below is an excerpt, but you can read the full article over at wired.com.

The Tesla Roadster is powered by 6,831 rechargeable lithium-ion batteries — the same cells that run a laptop computer. Range: 250 miles. Fuel efficiency: 1 to 2 cents per mile. 0 to 60 in about 4 seconds. Top speed: more than 130 mph. The first cars will be built at a factory in England and are slated to hit the market next summer.

The biggest drawback seems to be that in between that 250 mile range, you have to allow for a 3 1/2 hour recharge time — so this model isn’t so well-suited for road-trips. But you can bet that battery technology will continue to improve.
 
OK, so this can’t really be my next car until the price drops some — $85K is definitely more than I would spend on a car. But if it’s successful, then others will follow, and there will be lots more options on the market.

Posted in Technology & gadgets | Leave a Comment »

Real 3D images projected into mid-air

Posted by jasongin on Friday, February 17, 2006

Scientists in Japan have produced 3D images suspended in air, using focused infrared lasers to stimulate point plasma emissions.

Posted in Technology & gadgets | 1 Comment »

“Networks are dangerous”, security expert says

Posted by jasongin on Monday, January 16, 2006

I noticed a story on c|net today about a new "vulnerability" discovered in Windows XP: it automatically connects to a WiFi network when it is configured to do so. While that’s scary enough, I’ve recently been made aware there is another similar but far more dangerous vulnerability looming out there. It affects not only Windows computers but even those of the Mac and Linux persuasion as well. Millions of innocent users may be at risk without even realizing it.
 
In an effort to better assess the magnitude of this new heretofore unknown threat, I sat down for an interview with Wanna B. Hacker, a distinguished researcher for ScareU Computer Security, Inc.
 
J: "So Wanna… Can you tell me, in layman’s terms, just what exactly is this threat we are facing?"
 
WBH: "There is a network out there, a network so large and so perilous, that just by connecting to it one is exposed to all the evils in the world, evils so treacherous you can’t even comprehend. I believe it is the greatest danger humanity has ever faced."
 
J: "Wow! That does sound scary! I hope you can tell us all how to avoid ever coming in contact with such a network."
 
WBH: "I could, and if people followed my advice not to do stupid things, then I would be out of a job."
 
J: "I’m sure you’re willing to take one for humanity, right?"
 

WBH: "Of course! Any day. But they don’t. I mean, people don’t not do stupid things. They are weak, so they’re drawn to this network like flies to… to a web."
 
J: "What is it that compels them so?"
 
WBH: "Well, according to my research this network lures unsuspecting souls with promises of a vast wealth of useless information and time- and money-wasting entertainment. For example, if you want to know what were the couch gags in the opening sequence of every episode of the Simpsons ever aired, you can find it there. You can post your own arbitrary ramblings in a place where anybody can see but nobody cares, pay double retail price to win something at auction, or participate in a mass hallucination of an alternate life exploring dungeons and slaying dragons. The network even has addictive properties: once someone gets a taste, they reconnect day after day, sometimes several times a day!"
 
J: "Sounds great! Where do I plug in?"
 
WBH: "No! You’re forgetting the evil! IT’S ALL EVIL! You might get blah blah blah gobbledygook blah blah…"
 
Wanna went on ranting something about walls of fire and fishing with worms and other random nonsense, but I didn’t catch it all because I decided to just back away quietly. He was obviously suffering from paranoid delusions of I-know-whats-good-for-you. This Internet is a pretty cool place as far as I can see.

Posted in Technology & gadgets | 3 Comments »

Samsung: “the new Sony?”

Posted by jasongin on Monday, November 28, 2005

A few months ago I read something that passingly referred to the Samsung brand as "the new Sony." Since then as I keep up with the latest on the computer and consumer electronics industries the significance of that expression has been coming to light more and more.
 
There was a time not too long ago when Sony was far and away the top brand in consumer electronics. The name Sony implied a product was likely to be high-quality, well-designed, and probably a little more expensive. While the latter is still true, Sony has lost focus on most of what once made their name. Meanwhile Samsung has moved up from the ranks of a cheap no-name alternative to a prominent manufacturer of some of the most well-engineered electronics available.
 
Personally I generally don’t maintain any particular brand loyalties or disloyalties — I buy whatever brand best suits my needs, tastes, and budget at the time. But that has led me to avoid Sony electronics since they started putting literally 14 different kinds of stupid Memory Stick slots in all their products. Why can’t they use SD like everyone else?? Otherwise their products these days are generally not bad, but not stellar either — meaning the price premium is never justified when there are other quality alternatives available.
 
Enter Samsung. As I said above, "well-engineered" is the best way I can describe their products, and that’s something I appreciate very much. While they don’t exactly exude style (but then not everyone can handle as much style as Apple throws at you :P), they do look slick and I have found their products to do what is expected of them extremely well without any gimmicks. For two years my home PC has been plugged into gorgeous Samsung LCD monitors. (The only thing better than N high-rez displays is N+1!) And I’m planning to upgrade my old Sony beast of a TV with what will most likely be a Samsung LCD or DLP television. Samsung also makes some very nice computers and laptops — unfortunately they’re not available in the U.S., but I saw some in Japan.
 
Part of the reason for Sony’s loss of focus is that they’re trying to be a big media company at the same time. That didn’t have to be a bad thing for them: with good execution they could have totally taken advantage of it. Lucky for Apple they didn’t, so now the Sony Walkman is a relic. The problem is big media companies maintain their distance of at least a decade behind modern technology, while consumer electronics companies of course cannot afford to do so. The recent stupidity of Sony records has even weakened the overall Sony brand, as the CD-spyware fiasco has led many people online to call for a boycott of all Sony products.
 
This article at Wharton explains some other interesting reasons behind Sony’s faltering and Samsung’s success.

Posted in Technology & gadgets | Leave a Comment »

Warning: music CDs may install spyware!

Posted by jasongin on Tuesday, November 1, 2005

In the last few years, the record industry has been experimenting with various forms of copy-protection on music CDs. Their goal is to stop you from using a computer to illegally redistribute the music, and I have no problems with that goal in principle (as long as fair use is preserved). But their methods have become downright underhanded in my opinion.
 
The most "successful" form of music CD copy-protection these days, which is appearing on more and more (popular) albums, installs some special copy-protection software without the user’s knowledge. This software installs silently, does evil, dirty, hackish things to hide itself on the system and intercept the user’s actions, is usually poorly written, and is nearly impossible to uninstall. Sound familiar? I hope you have learned by now what spyware is.
 
If you want to read more details, check out this article from Sysinternals. (Warning: very highly technical.) Sysinternals is a respected independent Windows developer group, responsible for some great free tools that I use all the time in my job: filemon, regmon, process explorer, etc. They were caught unaware by some spyware installed by a popular album from Sony BMG, but then they dive into the Windows internals to figure out just how it works, and how, with much difficulty, it can be removed.
 
All of these CDs use Windows’ autorun feature to activate the software as soon as you insert the CD. Unfortunately, this feature is a holdover from the days when all software, and especially CDs, were implicitly trusted. The good news is that it’s very easy to disable autorun, preventing music CDs from ever installing this software on your computer. You can simply hold down the shift key while inserting an individual CD (and keep holding it for at least 10 seconds or so until the system has acknowledged the CD).
 
Or to permanently disable autorun of all CDs, follow the steps on this page. Afterward in order to launch a CD-ROM you will need to open My Computer, right-click the drive, and choose Autoplay.
 
You might also want to avoid buying any CDs labeled as "copy-protected", since for music CDs that is almost a euphemism for "spyware-infested". Or even better, buy all your music instead from an online service like MSN Music or Napster (or even iTunes if you really feel like you have to follow the cult of Mac). It’s cheaper, faster, and more fun than buying an old-fashioned 3-inch disk at Wal-Mart. While these services still use a form of copy-protection, and it may be a little more restrictive than some people would like, at least they don’t try to do anything deceptive.

Posted in Technology & gadgets | 2 Comments »

 